10789367

Pre-Cognitive Security Information and Event Management

Published: September 29, 2020
Assignee: not available in USPTO data

Patent Claims
15 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A non-transitory computer readable medium having stored thereon machine readable instructions to provide pre-cognitive security information and event management (SIEM), the machine readable instructions, when executed, cause at least one processor to: use trained classifiers to detect an anomaly in input events, wherein the trained classifiers are trained to learn patterns of clusters based on training events, and the trained classifiers comprise machine learning-based classifiers; generate a predictive attack graph based on the anomaly, wherein the predictive attack graph is to provide an indication of different paths that can be taken from an asset that is related to the anomaly to compromise other selected assets in a network of the asset, and wherein the other selected assets are selected based on a ranking criterion and a complexity criterion; generate a rank list based on the ranking criterion to include the other selected assets; generate a complexity list based on the complexity criterion to include complexities that are related to vulnerabilities that exist in services with respect to the other selected assets; and use the rank list, the complexity list, a depth of the predictive attack graph, and a weighted value corresponding to assets that can be reached from a current asset to generate a score that provides an indication of a number of assets that can be compromised and a difficulty of exploiting vulnerabilities related to services of the assets that can be compromised.

Plain English Translation

This invention relates to pre-cognitive security information and event management (SIEM) systems that leverage machine learning to enhance threat detection and predictive analysis in network security. The system addresses the challenge of identifying and prioritizing potential security threats before they materialize by analyzing event data to detect anomalies and predicting attack paths. The system uses trained machine learning classifiers to detect anomalies in input events by learning patterns from clusters of training events. Upon detecting an anomaly, it generates a predictive attack graph that maps potential attack paths from an affected asset to other assets in the network. The system selects these target assets based on a ranking criterion (e.g., asset importance) and a complexity criterion (e.g., vulnerability severity). It then generates a rank list of prioritized assets and a complexity list detailing vulnerabilities in services associated with those assets. The system calculates a score that quantifies both the number of assets at risk and the difficulty of exploiting their vulnerabilities. This score considers the depth of the attack graph, the weighted importance of reachable assets, and the complexity of vulnerabilities. The result is a proactive security assessment that helps prioritize mitigation efforts based on predicted attack feasibility and impact.

Claim 2

Original Legal Text

2. The non-transitory computer readable medium of claim 1, wherein to generate the predictive attack graph, the machine readable instructions, when executed, further cause the at least one processor to: determine a rank of one asset of the other selected assets; and in response to a determination that the rank is greater than or equal to a rank threshold, select a path associated with the one asset to be added to the predictive attack graph.

Plain English Translation

This invention relates to cybersecurity, specifically to systems for generating predictive attack graphs to identify potential vulnerabilities in a network. The problem addressed is the need to prioritize and visualize attack paths based on asset criticality, enabling more effective security resource allocation. The system generates a predictive attack graph by analyzing a network's assets and their interconnections. It evaluates the criticality of each asset, assigning a rank based on factors such as sensitivity, accessibility, or business impact. Assets exceeding a predefined rank threshold are prioritized, and attack paths involving these high-ranking assets are selected for inclusion in the graph. This ensures that the most critical vulnerabilities are highlighted, allowing security teams to focus on mitigating the most impactful threats. The predictive attack graph is constructed by mapping out possible attack vectors, starting from initial entry points and progressing through the network to high-value targets. By incorporating asset ranking, the system filters out less critical paths, reducing complexity and improving actionability. The resulting graph provides a prioritized view of potential attack scenarios, helping organizations allocate defensive measures more efficiently. This approach enhances threat detection and response by focusing on the most critical assets and pathways.

Claim 3

Original Legal Text

3. The non-transitory computer readable medium of claim 1, wherein to generate the rank list, the machine readable instructions, when executed, further cause the at least one processor to: determine a rank of one asset of the other selected assets; and in response to a determination that the rank is greater than or equal to a rank threshold, add the one asset to the rank list.

Plain English Translation

This claim refines how the rank list of claim 1 is built. For each of the other selected assets in the network, the system determines a rank that reflects the asset's criticality and compares that rank against a predefined rank threshold. If the rank meets or exceeds the threshold, the asset is added to the rank list; otherwise it is left out. The rank list therefore contains only the assets that matter most, so that the score generated in claim 1, and the paths selected for the predictive attack graph, concentrate on the assets whose compromise would have the greatest impact. The logic is carried out by machine-readable instructions executed by the processor, so the threshold and the ranking metric can be tuned to a given environment.

Claim 4

Original Legal Text

4. The non-transitory computer readable medium of claim 1, wherein to generate the rank list, the machine readable instructions, when executed, further cause the at least one processor to: determine a rank of one asset of the other selected assets; determine whether a privilege associated with a user for the one asset has been previously traversed; and in response to a determination that the privilege has been previously traversed, and the rank of the one asset is greater than or equal to a rank threshold, add the one asset to the rank list.

Plain English Translation

This invention relates to a system for ranking and filtering assets in a computing environment, particularly for managing user access privileges. The problem addressed is the need to efficiently generate a ranked list of assets while considering user privileges and avoiding redundant traversal of previously accessed assets. The system determines a rank for each asset and checks whether the associated user privilege has been previously traversed. If the privilege has been traversed and the asset's rank meets or exceeds a predefined threshold, the asset is added to the ranked list. This ensures that only relevant assets are included, optimizing performance and reducing unnecessary processing. The system leverages machine-readable instructions executed by a processor to implement this logic, ensuring efficient privilege management and asset ranking in environments where access control and prioritization are critical. The invention improves upon existing methods by dynamically filtering assets based on both rank and privilege history, enhancing both security and performance in access control systems.

Claim 5

Original Legal Text

5. The non-transitory computer readable medium of claim 1, wherein to generate the complexity list, the machine readable instructions, when executed, further cause the at least one processor to: determine a complexity related to a vulnerability that exists in a service of one asset of the other selected assets; and in response to a determination that the complexity related to the vulnerability that exists in a service of the one asset is less than a complexity threshold, add the complexity to the complexity list.

Claim 6

Original Legal Text

6. The non-transitory computer readable medium of claim 1, wherein to generate the complexity list, the machine readable instructions, when executed, further cause the at least one processor to: determine a pre-condition associated with a service of one asset of the other selected assets; determine a post-condition associated with a service of the one asset; determine a complexity related to a vulnerability that exists in the service of the one asset; and in response to a determination that the complexity is less than a complexity threshold, and the pre-condition matches the post-condition, add the complexity to the complexity list.

Plain English Translation

This invention relates to cybersecurity risk assessment, specifically evaluating vulnerabilities in services associated with assets within a network. The problem addressed is the need to efficiently identify and prioritize vulnerabilities based on their complexity and impact, ensuring effective risk management. The system generates a complexity list by analyzing services of selected assets. For each service, it determines a pre-condition and a post-condition, which define the state of the system before and after the service is executed. The system also assesses the complexity of a vulnerability present in the service, comparing it to a predefined complexity threshold. If the complexity is below the threshold and the pre-condition matches the post-condition, the complexity value is added to the complexity list. This process helps prioritize vulnerabilities that are both low in complexity and have consistent pre- and post-conditions, indicating a higher likelihood of exploitation. The invention improves upon existing methods by incorporating both vulnerability complexity and state consistency into risk assessment, enabling more accurate and actionable prioritization of security risks. This approach ensures that vulnerabilities with lower complexity and predictable conditions are flagged for immediate attention, reducing the likelihood of successful cyberattacks.
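
The procedure spread over claims 1 through 6 (walk outward from the asset tied to the anomaly, keep only assets that clear a rank threshold and services whose vulnerabilities fall below a complexity threshold with matching pre- and post-conditions, then fold the rank list, the complexity list, the graph depth and per-asset reachability weights into one score) is shown below as a toy Python model. It is an added example, not code from the patent or its inventors: the asset network, the vulnerability placeholder identifiers, both thresholds, the `build_predictive_attack_graph`, `score` and `assess` functions and the score formula itself are all constructed here, since the claims name the inputs to the score but not how they combine. The anomaly-detection front end of claim 1 and the privilege-history check of claim 4 are assumed to have run already and are not modelled.

```python
"""Toy model of the predictive attack graph, rank list, complexity list and score
from claims 1-6. This is an added illustration, not the patent's code; the asset
network, the thresholds and the score formula are all constructed here."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Vulnerability:
    vuln_id: str        # constructed placeholder, not a real vulnerability identifier
    complexity: float   # attacker effort, 0 (trivial) .. 10 (very hard)
    precondition: str   # privilege the attacker must already hold to use the service
    postcondition: str  # privilege gained on the asset after exploitation


@dataclass
class Asset:
    name: str
    rank: float                                     # criticality (ranking criterion)
    services: dict = field(default_factory=dict)    # service name -> Vulnerability
    neighbours: list = field(default_factory=list)  # assets reachable over the network


RANK_THRESHOLD = 5.0        # claims 2/3: an asset is selected only if rank >= this
COMPLEXITY_THRESHOLD = 6.0  # claims 5/6: a vulnerability is listed only if complexity < this


def build_predictive_attack_graph(start, assets, max_depth=4):
    """Breadth-first walk from the asset tied to the anomaly. A neighbour joins the graph
    when it clears the rank threshold and exposes a service whose vulnerability is below
    the complexity threshold and whose precondition matches the privilege the attacker
    already holds, i.e. the post-condition of the previous step (claim 6)."""
    edges, rank_list, complexity_list, depth = [], [], [], 0
    # The anomaly gives the attacker plain network access at the start asset (assumption).
    frontier = deque([(start, "network", 0)])
    seen = {start}
    while frontier:
        current, held_privilege, d = frontier.popleft()
        depth = max(depth, d)
        if d >= max_depth:
            continue
        for nxt_name in assets[current].neighbours:
            nxt = assets[nxt_name]
            if nxt_name in seen or nxt.rank < RANK_THRESHOLD:
                continue
            for svc, vuln in nxt.services.items():
                if vuln.complexity >= COMPLEXITY_THRESHOLD or vuln.precondition != held_privilege:
                    continue
                edges.append((current, nxt_name, svc, vuln.vuln_id))
                rank_list.append(nxt_name)                                # claim 3
                complexity_list.append((nxt_name, svc, vuln.complexity))  # claims 5/6
                seen.add(nxt_name)
                frontier.append((nxt_name, vuln.postcondition, d + 1))
                break  # one feasible edge is enough to reach the asset
    return edges, rank_list, complexity_list, depth


def score(assets, rank_list, complexity_list, depth, weights):
    """Claim 1's score: grows with the number and importance of reachable assets and with
    how easy their vulnerabilities are; longer chains (greater depth) attenuate it.
    The patent gives no formula, so this combination is an assumption of the example."""
    if not rank_list:
        return 0.0
    reach = sum(weights.get(a, 1.0) * assets[a].rank for a in rank_list)
    ease = sum(COMPLEXITY_THRESHOLD - c for _, _, c in complexity_list) / len(complexity_list)
    return round(reach * ease / (1 + depth), 2)


# Constructed sample network: a workstation shows the anomaly; what can be reached from it?
NETWORK = {a.name: a for a in [
    Asset("workstation-17", rank=2.0, neighbours=["file-server", "jump-host", "printer"]),
    Asset("file-server", rank=8.0, neighbours=["db-server"],
          services={"smb": Vulnerability("VULN-PLACEHOLDER-1", 3.0, "network", "user")}),
    Asset("jump-host", rank=6.0, neighbours=["db-server"],
          services={"ssh": Vulnerability("VULN-PLACEHOLDER-2", 7.5, "network", "admin")}),
    Asset("db-server", rank=9.0, neighbours=["backup"],
          services={"sql": Vulnerability("VULN-PLACEHOLDER-3", 4.0, "user", "admin")}),
    Asset("backup", rank=3.0,
          services={"nfs": Vulnerability("VULN-PLACEHOLDER-4", 1.0, "admin", "admin")}),
    Asset("printer", rank=1.0),
]}
WEIGHTS = {"db-server": 2.0}  # weighted value of reaching the most sensitive asset


def assess(start="workstation-17"):
    edges, rank_list, complexity_list, depth = build_predictive_attack_graph(start, NETWORK)
    return {"edges": edges, "rank_list": rank_list, "complexity_list": complexity_list,
            "depth": depth, "score": score(NETWORK, rank_list, complexity_list, depth, WEIGHTS)}


if __name__ == "__main__":
    for key, value in assess().items():
        print(f"{key}: {value}")
```

Run as a script, the sample selects file-server and db-server (score 21.67 with a depth of two hops), leaves jump-host out because its only vulnerability sits above the complexity threshold, and leaves backup out because its rank is below the rank threshold even though its NFS vulnerability is trivial. That last case is the point a defender should notice: the rank criterion deliberately hides low-value assets, so thresholds need reviewing whenever the asset inventory or the weights change.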

Claim 7

Original Legal Text

7. The non-transitory computer readable medium of claim 1, wherein the machine readable instructions, when executed, further cause the at least one processor to: determine a path in the predictive attack graph that can be taken to compromise one asset of the other selected assets; determine an occurrence of an attack associated with the path; and create an ephemeral rule to prevent compromises of the other selected assets based on the occurrence.

Plain English Translation

This invention relates to cybersecurity, specifically to systems that analyze and mitigate potential attack paths in a network. The problem addressed is the difficulty in proactively identifying and preventing cyberattacks by dynamically assessing vulnerabilities and generating temporary security rules. The system constructs a predictive attack graph representing potential attack paths within a network, where nodes represent assets and edges represent possible attack vectors. It selects a subset of assets to protect and identifies a specific path in the graph that could lead to the compromise of one of these assets. Upon detecting an actual attack attempt along this path, the system generates an ephemeral (temporary) security rule to block similar attacks targeting the other selected assets. This rule is dynamically created in response to the detected threat and may be adjusted or removed as conditions change. The approach improves security by leveraging real-time attack data to enforce temporary, context-aware restrictions, reducing the risk of lateral movement and further compromises within the network. The system dynamically adapts to emerging threats without requiring manual intervention, enhancing the responsiveness of security measures.

Claim 8

Original Legal Text

8. The non-transitory computer readable medium of claim 1, wherein the machine readable instructions, when executed, further cause the at least one processor to: generate recommendations to overcome an attack related to the anomaly in the input events, wherein the recommendations include options related to at least one of minimizing a time associated with a loss of service, minimizing damage to physical assets, and minimizing a cost associated with the loss of service.

Plain English Translation

This invention relates to cybersecurity systems that detect and respond to anomalies in input events, such as network traffic or system logs, to identify potential attacks. The system analyzes these events to detect deviations from normal behavior, indicating a possible security threat. Once an anomaly is detected, the system generates actionable recommendations to mitigate the attack. These recommendations focus on minimizing the impact of the attack by reducing service downtime, protecting physical assets from damage, and lowering financial losses associated with the disruption. The system evaluates the severity and nature of the anomaly to tailor the recommendations, ensuring an effective response that aligns with organizational priorities. By automating the detection and response process, the invention enhances cybersecurity resilience and reduces the need for manual intervention. The solution is particularly useful in environments where rapid response is critical to prevent significant harm.

Claim 9

Original Legal Text

9. The non-transitory computer readable medium of claim 1, wherein to generate the score, the machine readable instructions, when executed, further cause the at least one processor to: determine a real-time connectivity model of the network; and use the real-time connectivity model to update the generation of the score.

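
Claims 7 and 9 describe the response side of the system: when an attack is actually observed along a predicted path, an ephemeral rule is created to protect the other selected assets, and a real-time connectivity model feeds back into the score. The Python below is an added illustration, not the patent's code: the connectivity snapshot, the predicted path, the event tuple format, the quarantine-style rule (drop traffic from the compromised asset to the other selected assets until a time-to-live expires) and the `respond` function are all assumptions made here, and the count of reachable assets stands in for the full score.

```python
"""Added illustration for claims 7 and 9, not the patent's code: an ephemeral rule
raised when an attack is seen on a predicted path, and reachability recomputed over a
live connectivity model with the rule applied. All data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EphemeralRule:
    """Temporary isolation rule: traffic from `source` to any asset in `protected` is
    dropped until `expires_at` (seconds on the same clock as the events)."""
    source: str
    protected: frozenset
    expires_at: float

    def blocks(self, src, dst, now):
        return now < self.expires_at and src == self.source and dst in self.protected


# Real-time connectivity model (claim 9), here a constructed snapshot of live edges
# (source asset, destination asset, service).
CONNECTIVITY = {
    ("workstation-17", "file-server", "smb"),
    ("file-server", "db-server", "sql"),
    ("file-server", "backup", "smb"),
    ("db-server", "backup", "nfs"),
}

# Path previously chosen from the predictive attack graph (claim 7) and the assets it concerns.
PREDICTED_PATH = [("workstation-17", "file-server", "smb"), ("file-server", "db-server", "sql")]
SELECTED_ASSETS = frozenset({"file-server", "db-server", "backup"})


def attack_on_path(event, path):
    """An event (src, dst, service, outcome) is an occurrence of the attack when it is a
    successful use of an edge that lies on the predicted path."""
    src, dst, service, outcome = event
    return outcome == "success" and (src, dst, service) in path


def create_ephemeral_rule(event, selected_assets, now, ttl=900.0):
    """Claim 7: protect the other selected assets from the asset just compromised,
    for a limited time only (the rule expires on its own)."""
    compromised = event[1]
    return EphemeralRule(compromised, selected_assets - {compromised}, now + ttl)


def reachable(start, connectivity, rules, now):
    """Assets reachable from `start` over the live connectivity model once active rules
    are applied; the size of this set is what feeds the score update of claim 9."""
    seen, stack = {start}, [start]
    while stack:
        current = stack.pop()
        for src, dst, _service in connectivity:
            if src != current or dst in seen:
                continue
            if any(rule.blocks(src, dst, now) for rule in rules):
                continue
            seen.add(dst)
            stack.append(dst)
    return seen - {start}


def respond(event, now):
    """Evaluate one observed event: reachable set before, after the rule, and after expiry."""
    rules = []
    before = reachable("workstation-17", CONNECTIVITY, rules, now)
    if attack_on_path(event, PREDICTED_PATH):
        rules.append(create_ephemeral_rule(event, SELECTED_ASSETS, now))
    after = reachable("workstation-17", CONNECTIVITY, rules, now)
    after_expiry = reachable("workstation-17", CONNECTIVITY, rules, now + 1000.0)
    return {"before": before, "after": after, "after_expiry": after_expiry, "rules": rules}


if __name__ == "__main__":
    # Constructed event: the smb hop onto file-server, first edge of the predicted path, succeeded.
    result = respond(("workstation-17", "file-server", "smb", "success"), now=1000.0)
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed event, three assets are reachable from the workstation before the rule, only file-server while the rule is active, and three again once it has expired; an event that does not lie on the predicted path produces no rule at all. The expiry is what makes the rule ephemeral in the sense of claim 7, and it is also the operational caveat: if the underlying vulnerability is not fixed before the time-to-live runs out, the re-scored connectivity model will show the same exposure again.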
Claim 10

Original Legal Text

10. A pre-cognitive security information and event management (SIEM) apparatus comprising: at least one processor; an anomaly detection module, executed by the at least one processor, to use trained classifiers to detect an anomaly in input events, wherein the trained classifiers are trained to learn patterns of clusters based on training events, and the trained classifiers comprise machine learning-based classifiers; and a predictive attack graph generation module, executed by the at least one processor, to generate a predictive attack graph based on the anomaly in the input events, wherein the predictive attack graph is to provide an indication of different paths that can be taken from a state that is related to the anomaly to compromise other selected states related to the state, wherein the other selected states are selected based on a ranking criterion and a complexity criterion, and wherein the predictive attack graph generation module is to generate a rank list based on the ranking criterion to include the other selected states, generate a complexity list based on the complexity criterion to include complexities that are related to vulnerabilities with respect to the other selected states, and use the rank list, the complexity list, and a depth of the predictive attack graph to generate a score that provides an indication of a number of states that can be compromised and a difficulty of exploiting vulnerabilities with respect to the states that can be compromised.

Claim 11

Original Legal Text

11. The pre-cognitive SIEM apparatus according to claim 10, wherein the state is related to other states, and wherein to generate the predictive attack graph, the predictive attack graph generation module is further executed by the at least one processor to: determine a rank of one state of the other states; and in response to a determination that the rank is greater than or equal to a rank threshold, select a path associated with the one state to be added to the predictive attack graph.

Claim 12

Original Legal Text

12. The pre-cognitive SIEM apparatus according to claim 10, wherein the state is related to other states, and wherein to generate the complexity list, the predictive attack graph generation module is further executed by the at least one processor to: determine a complexity related to a vulnerability that exists in one state of the other states; and in response to a determination that the complexity is less than a complexity threshold, add the complexity to the complexity list.

Plain English Translation

A pre-cognitive Security Information and Event Management (SIEM) system is designed to proactively identify and mitigate cybersecurity threats by analyzing system states and predicting potential attack paths. The system addresses the challenge of detecting and responding to sophisticated cyber threats before they materialize, leveraging predictive attack graph generation to assess vulnerabilities and their potential exploitation. The system includes a predictive attack graph generation module that evaluates the relationships between different system states to model possible attack scenarios. This module determines the complexity associated with vulnerabilities present in these states. If the complexity of a vulnerability is below a predefined threshold, it is added to a complexity list, which prioritizes vulnerabilities based on their ease of exploitation. This approach enables the system to focus on high-risk, low-complexity vulnerabilities that are more likely to be exploited by attackers. By dynamically assessing vulnerability complexity and generating a prioritized list, the system enhances threat detection and response capabilities, allowing organizations to allocate resources more effectively and reduce the likelihood of successful cyberattacks. The predictive attack graph generation module continuously updates the complexity list as new vulnerabilities are identified or existing ones change, ensuring ongoing threat assessment and mitigation.

Claim 13

Original Legal Text

13. A method for pre-cognitive security information and event management (SIEM), the method comprising: using trained classifiers to detect an anomaly in input events, wherein the trained classifiers are trained to learn patterns of clusters based on training events, and the trained classifiers comprise machine learning-based classifiers; generating, by at least one processor, a predictive attack graph based on the anomaly in the input events, wherein the predictive attack graph is to provide an indication of different paths that can be taken from an activity that is related to the anomaly to compromise other selected activities related to the activity, and wherein the other selected activities are selected based on a ranking criterion and a complexity criterion; generating a rank list based on the ranking criterion to include the other selected activities; generating a complexity list based on the complexity criterion to include complexities that are related to vulnerabilities with respect to the other selected activities; and using the rank list, the complexity list, and a depth of the predictive attack graph to generate a score that provides an indication of a number of activities that can be compromised and a difficulty of exploiting vulnerabilities with respect to the activities that can be compromised.

Plain English Translation

This invention relates to pre-cognitive security information and event management (SIEM) systems, which aim to proactively detect and mitigate cybersecurity threats before they escalate. Traditional SIEM systems often rely on reactive approaches, identifying threats only after they occur. This invention addresses the problem by using machine learning-based classifiers to detect anomalies in input events by learning patterns from training data. The trained classifiers analyze event clusters to identify deviations that may indicate potential security threats. Once an anomaly is detected, the system generates a predictive attack graph that maps out possible attack paths from the anomalous activity to other related activities that could be compromised. The system selects these activities based on a ranking criterion, which prioritizes them by importance, and a complexity criterion, which assesses the difficulty of exploiting vulnerabilities associated with them. A rank list is generated to prioritize the selected activities, while a complexity list details the vulnerabilities and their associated difficulties. The system then calculates a score that combines the rank list, complexity list, and the depth of the predictive attack graph. This score quantifies both the number of activities that could be compromised and the difficulty of exploiting their vulnerabilities, providing security teams with actionable insights to preemptively mitigate threats. By integrating predictive modeling and machine learning, this approach enhances threat detection and response capabilities in SIEM systems.

Claim 14

Original Legal Text

14. The method according to claim 13, wherein the activity is related to other activities, and wherein generating the predictive attack graph further comprises: determining a rank of one activity of the other activities; and in response to a determination that the rank of the one activity is greater than or equal to a rank threshold, selecting a path associated with the one activity to be added to the predictive attack graph.

Claim 15

Original Legal Text

15. The method according to claim 13, wherein the activity is related to other activities, and wherein generating the complexity list further comprises: determining a complexity related to a vulnerability that exists in one activity of the other activities; and in response to a determination that the complexity is less than a complexity threshold, adding the complexity to the complexity list.

Plain English Translation

This invention relates to a method for assessing and managing the complexity of activities within a system, particularly in the context of identifying and mitigating vulnerabilities. The method is designed to improve risk assessment by evaluating the interdependencies between activities and their associated vulnerabilities. The method involves analyzing a set of activities to determine their relationships with other activities. For each activity, the method assesses the complexity associated with a vulnerability present in one of the related activities. If the determined complexity is below a predefined threshold, the complexity value is added to a complexity list. This list is used to prioritize activities based on their risk levels, enabling more effective vulnerability management. The method also includes generating a complexity list by evaluating the impact of vulnerabilities across interconnected activities. By comparing the complexity of each vulnerability to a threshold, the method ensures that only significant risks are included in the assessment. This approach helps in identifying high-risk activities that may require immediate attention, improving overall system security and operational efficiency. The method is particularly useful in systems where activities are interdependent, such as software development, cybersecurity, or project management, where understanding the complexity of vulnerabilities is critical for risk mitigation.

Patent Metadata

Filing Date

Unknown

Publication Date

September 29, 2020

Inventors

Satheesh Kumar JOSEPH DURAIRAJ
Anurag SINGLA

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “PRE-COGNITIVE SECURITY INFORMATION AND EVENT MANAGEMENT” (10789367). https://patentable.app/patents/10789367
